This series of blogs is intended to give Information
Security professionals some ideas on building quality relationships within
their enterprise. Successful relationship building is sometimes defined as the
ability to move your strategic goals forward in the organization. However, I
believe that success expands beyond your own strategic goals: to me, real success
achieves your goals and helps others achieve theirs.
Information Security and Software Development haven’t always
been well aligned in establishing complementary goals. For Information
Security, the Software Development team is the source of coding errors,
vulnerabilities and potential weaknesses that need to be identified,
triaged and remediated – preferably before release, or as soon as possible
once the code is live. Software Development, in turn, perceives Information Security as a
department solely focused on finding fault with their work. When Information
Security gets involved, developers have to take time to
go through manual and automated code reviews, to argue against inaccurate or
false-positive findings, and to develop and test fixes while trying to meet already
tight delivery dates. Transforming this potentially adversarial relationship into
something collaborative and mutually beneficial can be done – but it takes some effort.
- Clearly state
your expectations – Have you provided the relevant sections of the
information security policy to the team? Developers may not have a clear
understanding of the information security policy, or even access to it. Visit a staff
meeting, talk with developers and explain the overall objectives of InfoSec at
your organization. In most cases people want to play by the rules; they just need
to know what the rules are. Pay special attention to giving them your authentication
rules, password requirements and session timeout policies. Developers
understand that it’s much cheaper to build to the requirements in advance
than to make changes after the code has already gone through QA.
- Training –
It’s possible that your developers never received training in secure code
development. Work with the management team to include secure code development as
part of the training and education plan. If your budget can support it, fund a
portion of the training class, or offer the classes in-house with a member of
your staff as a “train the trainer” program.
- Create reference
materials – Developing in-house guides and instruction books pays off
in quality code. Describe buffer overflow conditions, explain the difference between
HTTP PUT and GET requests and when each is appropriate, or walk through how
cross-site scripting (XSS) attacks work. Even providing a list of known bad characters
to filter out of input can transform the Information Security team from a tattle-tale
into a problem solver – just pair that list with the stronger advice to validate input
against an allow-list and to encode output for the context it lands in, because a
deny-list of characters on its own is easy to bypass.
- Be prepared to
listen – Most development teams have an evangelist: someone who’s
passionate about their coding knowledge and loves to share it. Work with that
developer – get his or her input on how to improve policy. Learn about existing
work papers and ways you can work together to improve their content. Consider
increasing their scope to include company best practices.
- Reward the
champions – The QA team knows which developers routinely submit the best
code. Find out who they are and send a note to their boss saying so.
If they have written custom routines, validation logic or other reusable parts of
the code library, share them with the wider team – but be sure to credit the developer who did the
work. Remind the coding manager again at performance review time.
- Share the wealth
– When you get content that will benefit the developer team, don’t silo it. Make
sure it gets back to them. Bring info sheets and presentation notes from
security conferences. Share articles and publications that will be of interest
to the team. Don’t be afraid to invite them to attend security conferences,
multimedia briefings, lunch and learn sessions, or anything else you believe
might improve their knowledge in the area of coding for information security.
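The kind of reference material the "Create reference materials" bullet above describes, as an added example that is not part of the original post: a short Python script that sets a "known bad characters" deny-list filter beside the stronger approach of context-aware output encoding and an allow-list on URL schemes. The deny-list, the three sample payloads and the two rendering styles are all constructed for illustration; they do not come from any real application or from the post's author.

```python
"""Deny-list character filtering beside context-aware encoding.

Added example, not code from the original post. The deny-list, the sample
payloads and the rendering styles are assumptions chosen to illustrate the
point; nothing here comes from a real application.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# A "known bad characters" list of the kind the post suggests handing to
# developers (assumed for illustration).
BAD_CHARS = frozenset('<>"\'&')

# Constructed sample inputs. Only the first contains a deny-listed character.
SAMPLES = {
    "script_tag": "<script>alert(1)</script>",
    "event_handler": "x onmouseover=alert(1)",
    "js_scheme": "javascript:alert(1)",
}


def denylist_filter(value: str) -> str:
    """Strip every deny-listed character (the weak approach)."""
    return "".join(ch for ch in value if ch not in BAD_CHARS)


def render_attr_denylist(value: str) -> str:
    """Weak pattern: filtered value dropped into an unquoted attribute."""
    return f"<input name=q value={denylist_filter(value)}>"


def render_attr_encoded(value: str) -> str:
    """Hardened pattern: quoted attribute plus HTML-encoding for that context."""
    return f'<input name=q value="{html.escape(value, quote=True)}">'


def render_href_denylist(url: str) -> str:
    """Weak pattern: the URL scheme is never examined."""
    return f'<a href="{denylist_filter(url)}">link</a>'


def render_href_allowlist(url: str) -> str:
    """Hardened pattern: allow-list the scheme, then encode for the attribute."""
    if urlparse(url.strip()).scheme.lower() not in ("http", "https"):
        url = "#"  # refuse anything that is not a plain web URL
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


class _TagCollector(HTMLParser):
    """Split rendered markup into tags and attributes the way a browser
    would, so the checks below look at structure rather than substrings."""

    def __init__(self):
        super().__init__()
        self.tags = []   # tag names seen
        self.attrs = []  # (name, value) pairs from every start tag

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def parse(markup: str) -> _TagCollector:
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def has_event_handler(markup: str) -> bool:
    """True if any attribute is an on* handler, i.e. a handler was injected."""
    return any(name.startswith("on") for name, _ in parse(markup).attrs)


def has_js_href(markup: str) -> bool:
    """True if any href resolves to the javascript: scheme."""
    return any(
        name == "href" and value is not None
        and urlparse(value.strip()).scheme.lower() == "javascript"
        for name, value in parse(markup).attrs
    )


def compare() -> dict:
    """Each key names a rendering; True means the payload still got through."""
    return {
        "script_tag_denylist": "script" in parse(render_attr_denylist(SAMPLES["script_tag"])).tags,
        "handler_denylist": has_event_handler(render_attr_denylist(SAMPLES["event_handler"])),
        "handler_encoded": has_event_handler(render_attr_encoded(SAMPLES["event_handler"])),
        "js_href_denylist": has_js_href(render_href_denylist(SAMPLES["js_scheme"])),
        "js_href_allowlist": has_js_href(render_href_allowlist(SAMPLES["js_scheme"])),
    }


if __name__ == "__main__":
    for name, got_through in compare().items():
        print(f"{name:22} {'INJECTED' if got_through else 'blocked'}")
```

The deny-list does stop the textbook `<script>` payload, which is exactly why teams come to trust it; the other two payloads contain none of the "bad" characters and sail straight through into an unquoted attribute and an `href`. Quoting the attribute and encoding for that context, plus an allow-list on the URL scheme, blocks all three without any list of forbidden characters. That is the caveat worth writing into the guide alongside the list.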
In order to remain competitive in their field, developers know
they must continually invest in their skills, and most are aware that hiring
managers want to bring on experienced coders with a robust skill set. Helping them
improve and market their skills will quickly pay off. By noticing and reporting
on the quality of the developer team, InfoSec switches from an affliction to an
ally. Most importantly you can convert your relationship with the developer
team from a policing role to a mutually supportive relationship. Perhaps you’ll
see the day when you’ll be getting calls from the developer team when they need
help – and they refer to you as a key partner.